"abuse? While investigating the domain controller (DC), analysts observed that a compromised user executed commands to enumerate and export certificates from the local certificate store. Specifically, the attacker accessed the My (Personal) certificate store using the followin…"
T1552.001 Credentials In Files (87%)
"The dangers of storing unencrypted passwords. This is an offshoot of our other blog, "Huntress Threat Advisory: Active Exploitation of SonicWall VPNs," which allowed initial access and was followed by the rapid deployment of Akira ransomware across the victim environment. This …"
T1486 Data Encrypted for Impact (85%)
"of the observed attack. What happened? The Huntress APAC region's Security Operations Center (SOC) detected multiple administrative users executing commands to delete shadow copies across multiple hosts within an organization. Upon identifying this suspicious activity, analyst…"
T1552.004 Private Keys (77%)
"…ef8c4bf86874c9542b4e C:\cert.pfx Note: exporting a certificate in PFX format includes both the public and private keys. If the certificate is used for user or device authentication (e.g., VPN or RDP with certificate-based auth), its compromise could allow threat actor…"
T1078 Valid Accounts (77%)
"them with prior findings. Shortly after the outreach, Huntress Support received confirmation from the partner: the activity attributed to the security engineer account was not performed by their personnel. This revelation confirmed the threat actor had leveraged compromised cred…"
T1556.006 Multi-Factor Authentication (74%)
"securing all forms of authentication mechanisms, particularly recovery codes, which are often overlooked as "backup" credentials. In many systems, recovery codes are designed to bypass MFA in situations where users lose access to their primary authentication device (e.g., a p…"
T1078 Valid Accounts (71%)
"of the observed attack. What happened? The Huntress APAC region's Security Operations Center (SOC) detected multiple administrative users executing commands to delete shadow copies across multiple hosts within an organization. Upon identifying this suspicious activity, analyst…"
".exe" \\192.168.1.51\c$\users\<redacted>\desktop\huntress_recovery_codes-<redacted>.txt These recovery codes serve as a backup method for bypassing multi-factor authentication (MFA) and regaining account access. If compromised, they effectively al…"
T1486 Data Encrypted for Impact (69%)
"manipulate detection tools, and execute further malicious actions. In this incident, the attacker used exposed Huntress recovery codes to log into the Huntress portal, close active alerts, and initiate the uninstallation of Huntress EDR agents, effectively attempting to blind the…"
T1556.006 Multi-Factor Authentication (61%)
".exe" \\192.168.1.51\c$\users\<redacted>\desktop\huntress_recovery_codes-<redacted>.txt These recovery codes serve as a backup method for bypassing multi-factor authentication (MFA) and regaining account access. If compromised, they effectively al…"
T1003 OS Credential Dumping (39%)
"The dangers of storing unencrypted passwords. This is an offshoot of our other blog, "Huntress Threat Advisory: Active Exploitation of SonicWall VPNs," which allowed initial access and was followed by the rapid deployment of Akira ransomware across the victim environment. This …"
T1078.004 Cloud Accounts (38%)
".exe" \\192.168.1.51\c$\users\<redacted>\desktop\huntress_recovery_codes-<redacted>.txt These recovery codes serve as a backup method for bypassing multi-factor authentication (MFA) and regaining account access. If compromised, they effectively al…"
T1111 Multi-Factor Authentication Interception (35%)
".exe" \\192.168.1.51\c$\users\<redacted>\desktop\huntress_recovery_codes-<redacted>.txt These recovery codes serve as a backup method for bypassing multi-factor authentication (MFA) and regaining account access. If compromised, they effectively al…"
T1552 Unsecured Credentials (34%)
"The dangers of storing unencrypted passwords. This is an offshoot of our other blog, "Huntress Threat Advisory: Active Exploitation of SonicWall VPNs," which allowed initial access and was followed by the rapid deployment of Akira ransomware across the victim environment. This …"
T1552.001 Credentials In Files (32%)
"…ef8c4bf86874c9542b4e C:\cert.pfx Note: exporting a certificate in PFX format includes both the public and private keys. If the certificate is used for user or device authentication (e.g., VPN or RDP with certificate-based auth), its compromise could allow threat actor…"
T1003 OS Credential Dumping (31%)
"…ef8c4bf86874c9542b4e C:\cert.pfx Note: exporting a certificate in PFX format includes both the public and private keys. If the certificate is used for user or device authentication (e.g., VPN or RDP with certificate-based auth), its compromise could allow threat actor…"
T1078 Valid Accounts (31%)
"with legitimate internal network traffic, often appearing as trusted users from sanctioned IP ranges. Since EDR agents are typically deployed only on known managed endpoints, any rogue systems introduced via VPN that lack the agent remain invisible to the EDR. Additionally, activ…"
Summary
Threat actors exploited SonicWall VPN, deployed Akira ransomware, and uninstalled Huntress Managed EDR agents after finding plaintext recovery codes. Learn how to secure your credentials and prevent similar attacks.